ip spoofing
TRANSCRIPT
IP Spoofing, CS265 1
IP Spoofing
Bao Ho
ToanTai Vu
CS 265 - Security Engineering, Spring 2003
San Jose State University
Presentation Outline
- Introduction, Background
- Attacks with IP Spoofing
- Counter Measures
- Summary
IP Spoofing
- IP spoofing is a technique used to gain unauthorized access to computers.
  - IP: Internet Protocol
  - Spoofing: using somebody else's information
- It exploits trust relationships.
- The intruder sends packets to a computer with the source IP address set to that of a host the computer trusts.
IP / TCP
- IP is connectionless and unreliable.
- TCP is connection-oriented.
- TCP three-way handshake:
  A -> B: SYN; my sequence number is X
  B -> A: SYN+ACK; acknowledge X+1, my sequence number is Y
  A -> B: ACK; acknowledge Y+1
A Blind Attack (diagram): host I (the intruder) cannot see what host V (the victim) sends back, because V's replies are routed to the spoofed address, not to I.
IP Spoofing Steps
- Select a target host (the victim).
- Identify a host that the target trusts.
- Disable the trusted host (so it cannot answer or reset the forged connection) and sample the target's TCP sequence numbers.
- Impersonate the trusted host and forge the ISN.
- Attempt a connection to a service that only requires address-based authentication.
- If the connection succeeds, execute a simple command to leave a backdoor.
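The six steps above, and the blind-attack slide before them, as an added simulation that is not part of the original slides. The victim runs an rsh-style service that trusts a host purely by source address; the attacker samples the victim's ISNs from its own address, predicts the next one, and completes a handshake whose SYN+ACK it never sees. The addresses, the trust rule, the "+64000 per connection" ISN generator (modelled on early BSD stacks) and the backdoor command are all constructed for illustration; the randomized generator shows the attack failing once the ISN is unpredictable.

```python
"""Blind IP-spoofing simulation (added example, not code from the slides).

Hosts, addresses, the trust rule and both ISN generators are constructed
for illustration. The predictable generator mimics early BSD stacks; the
random one is the 'good random number generator' counter-measure."""
import random
from dataclasses import dataclass, field

MASK = 0xFFFFFFFF
TRUSTED = "10.0.0.5"          # host the victim trusts (constructed)
ATTACKER = "198.51.100.9"     # intruder's real address (constructed)


class PredictableISN:
    """ISN advances by a constant per connection: observable, hence guessable."""
    def __init__(self, start=0, step=64000):
        self.cur, self.step = start, step

    def next(self):
        self.cur = (self.cur + self.step) & MASK
        return self.cur


class RandomISN:
    """Unpredictable ISN drawn from a cryptographic RNG."""
    def __init__(self, rng=None):
        self.rng = rng or random.SystemRandom()

    def next(self):
        return self.rng.getrandbits(32)


@dataclass
class Victim:
    isn_gen: object
    trusted: set
    half_open: dict = field(default_factory=dict)   # src -> our ISN
    executed: list = field(default_factory=list)    # commands run via rsh

    def recv_syn(self, src):
        """SYN in, SYN+ACK out. The SYN+ACK (carrying our ISN) is routed to
        `src`, so a spoofer never learns the value this call returns."""
        isn = self.isn_gen.next()
        self.half_open[src] = isn
        return isn

    def recv_ack(self, src, ack):
        """Third handshake packet: accepted only if it acknowledges ISN+1."""
        isn = self.half_open.pop(src, None)
        return isn is not None and ack == (isn + 1) & MASK

    def rsh(self, src, ack, command):
        """Address-based authentication: a completed connection from a
        trusted address may run a command, no password asked."""
        if src in self.trusted and self.recv_ack(src, ack):
            self.executed.append(command)
            return True
        return False


def blind_spoof(victim, samples=3, backdoor="echo '+ +' >> ~/.rhosts"):
    """Return True if the forged connection ran `backdoor` on the victim."""
    # Step 3: sample the victim's ISNs from our own address (those replies
    # do reach us), resetting each probe so no half-open entry is left.
    seen = []
    for _ in range(samples):
        seen.append(victim.recv_syn(ATTACKER))
        victim.half_open.pop(ATTACKER, None)          # RST the probe
    step = (seen[-1] - seen[-2]) & MASK
    predicted = (seen[-1] + step) & MASK              # guess for the next ISN

    # Step 4: forged SYN from the (disabled) trusted host. The victim's
    # SYN+ACK goes to TRUSTED, which is down and so sends no RST; we see nothing.
    victim.recv_syn(TRUSTED)

    # Steps 5-6: forged ACK carrying the guessed number, then the command.
    return victim.rsh(TRUSTED, (predicted + 1) & MASK, backdoor)


if __name__ == "__main__":
    weak = Victim(PredictableISN(), {TRUSTED})
    print("predictable ISN:", blind_spoof(weak), weak.executed)
    strong = Victim(RandomISN(), {TRUSTED})
    print("random ISN:     ", blind_spoof(strong), strong.executed)
```

With the constant-increment generator the guess is exact and the backdoor command runs; with a random ISN the forged ACK is rejected (the chance of a lucky 32-bit guess is 2^-32), which is exactly why ISN randomization is listed among the counter-measures later in the deck.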
IP Spoofing Attacks
- Man in the middle
- Routing
- Flooding / Smurfing
Attacks
Man-in-the-middle: the attacker sniffs packets on the link between the two endpoints, and can therefore pretend to be one end of the connection.
Attacks
Routing redirect: the attacker alters routing information so that traffic for the original host is delivered to the attacker's host.
Source routing: the attacker uses the IP source-route option to make individual packets, and the replies to them, travel via the attacker's host, so the spoofed exchange is no longer blind.
Attacks
Flooding: a SYN flood fills the receive (half-open connection) queue with SYNs from random, spoofed source addresses; the SYN+ACKs go to addresses that never answer, so the entries stay until they time out.
Smurfing: an ICMP echo request is spoofed to originate from the victim and sent to a broadcast address, so every host on that network replies to the victim at once.
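Detection logic for the two flooding attacks just described, as an added example that is not from the original slides. A SYN flood with random sources shows up as many half-open SYNs (no ACK ever follows from the same source) spread over almost as many distinct addresses; a Smurf trigger shows up, on the amplifier network, as an echo request whose destination is a broadcast address and whose source is the real victim. The packet records, thresholds and the local network are constructed for illustration.

```python
"""Flood detection over constructed packet summaries (added example, not
code from the slides). Record layout, thresholds, addresses and the local
network are assumptions for illustration."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str      # "tcp" or "icmp"
    info: str       # tcp: flags ("S" = SYN, "A" = ACK); icmp: message type


def syn_flood_targets(pkts, min_half_open=10, min_distinct_ratio=0.8):
    """Per destination, count SYNs never followed by an ACK from the same
    source. Many half-opens from (almost) all-distinct sources is the
    signature of a SYN flood using random spoofed addresses."""
    acked = {(p.src, p.dst) for p in pkts if p.proto == "tcp" and "A" in p.info}
    half_open, sources = defaultdict(int), defaultdict(set)
    for p in pkts:
        if p.proto == "tcp" and p.info == "S" and (p.src, p.dst) not in acked:
            half_open[p.dst] += 1
            sources[p.dst].add(p.src)
    return {dst: (n, len(sources[dst])) for dst, n in half_open.items()
            if n >= min_half_open and len(sources[dst]) / n >= min_distinct_ratio}


def smurf_triggers(pkts, local_nets):
    """Echo requests addressed to a local broadcast address. Their source is
    the intended victim, not the sender: every local host will reply to it."""
    bcast = {str(ipaddress.ip_network(n).broadcast_address) for n in local_nets}
    bcast.add("255.255.255.255")
    return [(p.src, p.dst) for p in pkts
            if p.proto == "icmp" and p.info == "echo-request" and p.dst in bcast]


def build_sample():
    """Constructed capture: one real handshake, a 20-packet SYN flood with
    random sources, one ordinary ping and one Smurf trigger."""
    pk = [Pkt("203.0.113.4", "192.0.2.10", "tcp", "S"),
          Pkt("203.0.113.4", "192.0.2.10", "tcp", "A")]
    for i in range(20):
        pk.append(Pkt(f"172.16.{i}.{(37 * i) % 256}", "192.0.2.10", "tcp", "S"))
    pk.append(Pkt("10.0.0.3", "10.0.0.7", "icmp", "echo-request"))
    pk.append(Pkt("192.0.2.10", "10.0.0.255", "icmp", "echo-request"))
    return pk


if __name__ == "__main__":
    pk = build_sample()
    print("SYN flood targets (half-open, distinct sources):", syn_flood_targets(pk))
    print("Smurf triggers (victim, broadcast):", smurf_triggers(pk, ["10.0.0.0/24"]))
```

The distinct-source ratio is what separates a flood with spoofed random sources from a legitimate burst: a busy but honest client retries from one address, while a spoofing flooder never reuses one.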
IP-Spoofing Facts
- The IP protocol is inherently weak.
- It makes no assumption about sender or recipient.
- Nodes on the path do not check the sender's identity.
- There is no way to completely eliminate IP spoofing.
- We can only reduce the possibility of attack.
IP-Spoofing Counter-measures
- No insecure authenticated services
- Disable commands like ping
- Use encryption
- Strengthen the TCP/IP protocol
- Firewall
- IP traceback
No insecure authenticated services
- The r* services (rsh, rlogin, rcp) authenticate by hostname or IP address only.
- Use more secure alternatives, e.g. ssh.
- Remove the binaries.
- Disable them in inetd / xinetd.
- Clean up ~/.rhosts files and /etc/hosts.equiv.
- No application with hostname/IP-based authentication, if possible.
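An audit for the ".rhosts / hosts.equiv" clean-up item above, as an added example that is not from the original slides. The file format is the standard r*-services one (`host [user]`, `+` for any host or user, `+@netgroup`, `-host` to deny); every positive entry is an address- or hostname-based trust grant and is reported, with wildcards ranked highest. The sample file and the severity scale are constructed.

```python
"""Audit of /etc/hosts.equiv and ~/.rhosts trust entries (added example,
not code from the slides). The sample file and the severity scale are
constructed for illustration."""
import ipaddress


def _classify(host, user):
    """Return (severity, reason) for one positive trust entry."""
    if host == "+":
        if user == "+":
            return "critical", "trusts every user on every host"
        return "critical", "trusts every host (any matching username)"
    if host.startswith("+@"):
        sev, why = "high", f"trusts NIS netgroup '{host[2:]}'; membership must be reviewed"
    else:
        try:
            ipaddress.ip_address(host)
            sev, why = "high", "trust keyed on a source IP address, which can be spoofed"
        except ValueError:
            sev, why = "medium", "trust keyed on a hostname resolved from the source IP, which can be spoofed"
    if user == "+":
        sev, why = "critical", why + "; and any remote user is accepted"
    return sev, why


def audit_rhosts(text, path):
    """Parse one hosts.equiv/.rhosts file; return a finding per trust grant."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        if host.startswith("-") or (user and user.startswith("-")):
            continue                                # deny entries grant nothing
        sev, why = _classify(host, user)
        findings.append({"path": path, "line": lineno, "entry": line,
                         "severity": sev, "reason": why})
    return findings


# Constructed sample; no such file was read from a real system.
SAMPLE_HOSTS_EQUIV = """\
# hosts.equiv on buildserver (constructed)
buildbox.example.com
10.0.0.5
-badhost.example.com
+@admins
+ +
"""

if __name__ == "__main__":
    for f in audit_rhosts(SAMPLE_HOSTS_EQUIV, "/etc/hosts.equiv"):
        print(f"{f['path']}:{f['line']} [{f['severity']}] {f['entry']!r}: {f['reason']}")
```

Run it over /etc/hosts.equiv and every home directory's .rhosts; the correct remediation for every finding is removal, since the whole mechanism is the address-based authentication that IP spoofing defeats.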
Disable ping command
- Answering ping (ICMP echo) is rarely needed on an exposed host.
- It can be used to trigger a DoS attack by flooding the victim with ICMP packets.
- This attack does not crash the victim, but consumes network bandwidth and system resources.
- The victim fails to provide other services, and halts if it runs out of memory.
DOS using Ping (diagram)
Use Encryption
- Encrypt traffic, especially TCP/IP packets and initial sequence numbers, so a spoofer can neither read nor forge them.
- Kerberos is free and ships with many operating systems.
- Limit session time.
- A digital signature can be used to identify the sender of a TCP/IP packet.
Strengthen TCP/IP protocol
- Use good random number generators to generate the ISN.
- Shorten the time-out value for half-open TCP/IP requests.
- Increase the request (backlog) queue size.
- This cannot completely prevent the TCP/IP half-open-connection (SYN flood) attack.
- It can only buy more time, in the hope that the attack will be noticed.
Firewall
- Limit traffic to the services that are offered.
- Control access from within the network.
- Free software: ipchains, iptables.
- Commercial firewall software.
- Packet filters: routers with a firewall built in.
- Multiple layers of firewall.
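The anti-spoofing rules a border firewall should carry, as an added example that is not from the original slides: ingress filtering drops outside packets that claim an internal or unroutable source, drops directed broadcasts (the Smurf amplifier case), and egress filtering ("control access from within the network") stops inside hosts from sending with foreign source addresses. Interface names, the internal address block and the packet records are constructed; the bogon list is the usual set of private and reserved ranges.

```python
"""Anti-spoofing ingress/egress packet filter (added example, not code
from the slides). Interface names, the internal block and the sample
packets are constructed for illustration."""
import ipaddress
from dataclasses import dataclass

EXTERNAL_IF, INTERNAL_IF = "eth0", "eth1"               # assumed names
INTERNAL = ipaddress.ip_network("203.0.113.0/24")        # our block (assumed)
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


@dataclass(frozen=True)
class Pkt:
    iface: str      # interface the packet arrived on
    src: str
    dst: str
    proto: str = "tcp"


def filter_packet(p):
    """Return ("ACCEPT", "") or ("DROP", reason)."""
    src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
    if p.iface == EXTERNAL_IF:
        # Ingress: nothing from outside may claim one of our own addresses,
        # or an address that cannot legitimately appear on the Internet.
        if src in INTERNAL:
            return "DROP", "ingress: outside packet with internal source (spoofed)"
        if any(src in b for b in BOGONS):
            return "DROP", "ingress: unroutable/private source (spoofed)"
        # A directed broadcast from outside exists only to abuse us as a
        # Smurf amplifier.
        if dst == INTERNAL.broadcast_address or p.dst == "255.255.255.255":
            return "DROP", "ingress: directed broadcast (Smurf amplification)"
    elif p.iface == INTERNAL_IF:
        # Egress: our hosts may only send with our addresses, so this site
        # cannot be the source of spoofed packets aimed at others.
        if src not in INTERNAL:
            return "DROP", "egress: internal host using a foreign source address"
    return "ACCEPT", ""


# Constructed packets exercising each rule.
SAMPLE = [
    Pkt("eth0", "203.0.113.7", "203.0.113.10"),            # spoofed internal source
    Pkt("eth0", "10.1.2.3", "203.0.113.10"),               # private source from outside
    Pkt("eth0", "198.51.100.9", "203.0.113.255", "icmp"),  # Smurf trigger
    Pkt("eth0", "198.51.100.9", "203.0.113.10"),           # ordinary inbound
    Pkt("eth1", "192.0.2.4", "198.51.100.9"),              # inside host spoofing outward
    Pkt("eth1", "203.0.113.10", "198.51.100.9"),           # ordinary outbound
]

if __name__ == "__main__":
    for p in SAMPLE:
        verdict, why = filter_packet(p)
        print(f"{p.iface} {p.src:>14} -> {p.dst:<14} {verdict:6} {why}")
```

The first ingress rule corresponds to an iptables line such as `iptables -A INPUT -i eth0 -s 203.0.113.0/24 -j DROP`; the egress rule is what keeps your own network from being the source of the attacks described earlier, since a spoofer needs some network that does not check outbound source addresses.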
Network layout with Firewall (diagram)
IP Trace-back
- Trace back as close to the attacker's location as possible.
- Limited in reliability and efficiency.
- Requires the cooperation of many other network operators along the routing path.
- Generally does not receive much attention from network operators.
Summary/Conclusion
- IP spoofing attacks are unavoidable.
- Understanding how and why spoofing attacks are used, combined with a few simple prevention methods, can help protect your network from these malicious cloaking and cracking techniques.
Questions / Answers